Private Right of Action under CASL coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014.  Since then, all eyes have been on the Canadian Radio-television and Telecommunications Commission (CRTC) for decisions concerning CASL violations.  In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million.  Canadian and foreign companies have learned some things in the past two years about how CASL applies to their business, and many have taken steps to put in place policies and procedures to avoid violations.

Whatever steps you have taken to date, 2017 will be the time to revisit CASL compliance. 

On July 1, 2017, the private right of action (PRA) comes into force under CASL.  An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly.  While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group.

Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments up to the following amounts:

  • for sending commercial electronic messages contrary to CASL – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred
  • for altering the transmission data of a commercial electronic message – a maximum of $1 million for each day that the conduct occurred
  • for installing apps or other computer programs contrary to CASL – a maximum of $1 million for each day that the conduct occurred
  • for scraping, generating or otherwise accessing electronic addresses contrary to PIPEDA – a maximum of $1 million for each day that the conduct occurred
  • for sending commercial electronic messages with false or misleading information, including sender, locator or subject matter information, contrary to the Competition Act – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred

When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance…and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”, when setting the amount to be paid.

CASL also provides for extended liability.  Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention.  Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable.

Revisiting CASL

CASL provides that where a person establishes that they exercised due diligence to prevent a violation, they cannot be found to have contravened CASL.  Despite this provision, a number of well-meaning businesses have been found offside CASL’s provisions, have made significant penalty or settlement payments, and in some cases have received negative media coverage for their failure to meet CASL requirements.

In July 2017, the risk exposure will increase.  Now is the time to revisit your CASL compliance.

  1. Discuss with your Board and Senior Management team why you need to revisit CASL in 2017.
  2. Make sure that you have a CASL Compliance Policy and Procedure that covers your operations, and that is easy for employees to understand and use.
  3. Ensure that existing and new employees have access to – and receive appropriate training in – the Policy and Procedure.
  4. Conduct an audit under the Compliance Policy and Procedure, including how consent is obtained and documented; whether unsubscribe requests are fulfilled quickly; whether CASL-compliant message templates are consistently used; how complaints are addressed (etc.).
  5. Consider whether you need to check in with service providers (to send messages or install apps or other computer programs) about their CASL compliance.
  6. Consider whether service provider contracts include the appropriate clauses to address CASL compliance, liability, and indemnification.

See also:

Lessons Learned: E-Learning Company Faces $50K Spam Fine

CRTC Enforcement Advisory – Records to Show Consent

Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner

Canada’s Anti-Spam Law: Not just for Canadians

CASL Applies to Software January 15 2015

New CASL Compliance and Enforcement Guidelines


Kiev Power Outage Linked To Cyber Attacks

A Kiev power outage last weekend in Ukraine has been linked to a cyber attack, which is worryingly similar to an attack that happened around the same time last year. Sub-stations and transmission stations have always been a weak point for nation-state attacks as EVERYTHING relies on them now. Plus with smart grids and remotely […] The post...

Read the full post at

Did You Forget to Patch Your IP Camera?


IP cameras are usually “purchase, install, and don’t touch” devices. But in the current climate of cyberattacks, they now require regular updates and patches. Otherwise your security tool may be hacked, leak video, or join a cybercriminal botnet without your knowing.

IP cameras are targets

Like all Internet-connected devices, IP cameras are at risk of attack from online threats. Recent attacks have shown just how easy it is to hack hundreds of thousands of cameras, TVs, routers, and DVRs. Manufacturers are working to remediate the known weaknesses by providing patches. But in most cases, the upgrades require the owners to take action.

Sony recently released new firmware for 80 models of its IP cameras, to improve their resistance against cyberattacks. They are not alone, as many of the biggest manufacturers of IP cameras, including Siemens and Foscam, have issued a variety of updates in the past year. Manufacturers that release patches are doing a service for their customers. Internet of Things (IoT) devices require continual updates as threats in cyberspace adapt. Our technology must also keep pace or fall victim.

We are all affected

All IP camera owners must understand their roles and responsibilities. It is up to owners to keep their IoT devices patched, including the computers and phones connecting to them. Having our devices compromised can impact our security, safety, and privacy. It can also impact others. A recent attack brought down much of the east coast of the United States when a major domain name service was attacked by tens of thousands of hacked IoT devices, including IP cameras. Such outages, fueled by IoT botnets, are becoming more common. By patching systems, we can protect ourselves and the larger Internet community.

Get patching!

Determine the manufacturer and model number of your camera. Visit the manufacturer’s website and look for updates and firmware patches. Follow the installation instructions carefully! If you connect via applications from your phone or PC, also make sure you have the latest software.

We are all digitally connected and all have a responsibility to do no harm to our collective communication resource, the Internet. Patch and stay current. We all thank you.


Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

The post Did You Forget to Patch Your IP Camera? appeared first on McAfee Blogs.